TL;DR: Gartner says the IGA market grew 9.2% from 2023 to 2024 and is forecast to grow 10.7% from 2024 to 2025, with security and business enablement overtaking compliance as the main adoption drivers. That shift means IAM leaders need IGA programmes that can support risk reduction, operational efficiency, and audit readiness at the same time.
At a glance
What this is: This is Pathlock’s announcement that Gartner named it a Representative Vendor in the 2025 Market Guide for Identity Governance and Administration, alongside market data showing IGA adoption is being driven by security and business enablement.
Why it matters: It matters because IGA is no longer being judged only on compliance coverage, but on how well it supports lifecycle control, access governance, and risk reduction across hybrid identity programmes.
By the numbers:
- The IGA market worldwide grew 9.2% from 2023 to 2024, with forecast 2024 to 2025 growth of 10.7%, as of 2Q25.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Pathlock’s analysis of the 2025 Gartner Market Guide for IGA
Context
Identity governance and administration is moving from a compliance-led control set to a broader access-risk and business-enablement discipline. That shift matters because hybrid estates now span human users, service accounts, applications, and, increasingly, AI-driven workflows that all need lifecycle control.
Pathlock’s announcement is best read through that lens, not as a vendor milestone. Gartner’s market framing suggests that buyers now expect IGA to support provisioning, access reviews, segregation of duties, and continuous visibility across mixed environments, which raises the bar for every identity programme.
Key questions
Q: How should IAM teams measure whether IGA is actually working?
A: They should measure whether IGA reduces risky access conditions, not just whether reviews are completed on time. Strong signals include fewer toxic role combinations, shorter exception lifetimes, lower stale entitlement counts, and faster removal of access that is no longer justified by business need.
Q: Why does IGA need to move beyond compliance reporting?
A: Because compliance reporting only proves that controls were documented at a point in time. Modern identity environments change too quickly for that to be enough, so IGA must also show whether access is still appropriate, whether exceptions are controlled, and whether governance is reducing real operational risk.
Q: What breaks when access reviews are the only governance control?
A: The programme misses entitlement drift between review cycles, especially in hybrid estates with frequent application change and temporary elevation. Access may remain approved on paper while the underlying risk has already changed, which leaves toxic access combinations and stale privileges in place too long.
Q: Who should own identity governance in a hybrid enterprise?
A: Ownership should sit with a shared identity governance function, but the control outcomes must involve IAM, application owners, PAM teams, and security leadership. If governance is isolated from operational control data, it becomes slow, shallow, and too easy to comply with without reducing risk.
Technical breakdown
Why IGA is shifting beyond compliance-only governance
IGA has traditionally focused on who gets access, who reviews it, and whether the organisation can prove control to auditors. The market is now broadening because access governance also affects operational resilience, application risk, and change velocity. In hybrid environments, identity data is no longer enough on its own. Security teams need usage context, entitlement relationships, and exception handling to understand whether access is merely documented or actually controlled. That is why modern IGA increasingly overlaps with risk analytics, privileged access oversight, and continuous control monitoring.
Practical implication: treat IGA as an operational control plane, not just an audit evidence source.
How fine-grained segregation of duties changes control design
Segregation of duties, or SoD, prevents a single identity from holding combinations of access that create fraud, misuse, or control failure risk. Fine-grained SoD analysis matters because application environments rarely fit broad role templates cleanly. In practice, organisations need entitlement-level modelling, not just role-level approvals, so they can spot toxic combinations across ERP, finance, HR, and custom business systems. The hard part is not writing the policy. It is maintaining accurate mappings as applications, workflows, and delegated administration paths change over time.
Practical implication: model SoD at entitlement level for the systems where business abuse risk is highest.
Why continuous controls monitoring matters in hybrid access environments
Continuous controls monitoring links identity governance to live evidence. Instead of waiting for periodic reviews, it checks whether access remains appropriate, whether exceptions have expired, and whether privileged access is being used as approved. That matters in complex application landscapes where stale access, inherited permissions, and elevated access often persist longer than teams assume. Without continuous monitoring, IGA becomes a point-in-time exercise that can miss drift between certification cycles. The strongest programmes use monitoring to prioritise where human review is still needed and where policy can be enforced automatically.
Practical implication: combine review workflows with continuous monitoring so access drift is detected before the next certification cycle.
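To make the two preceding sections concrete (entitlement-level SoD modelling and continuous controls monitoring), here is an added worked example that is not part of the original post or of any Pathlock product. All applications, roles, entitlement identifiers, identities, exception records and dates are constructed for illustration. It shows why a role-level check misses a toxic combination that spans two roles or a delegated direct grant, and how a continuous check turns expired exceptions and stale entitlements into prioritised findings instead of waiting for the next certification cycle.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: hypothetical applications, roles, identities and dates.
# Entitlement ids are "app:entitlement"; nothing here comes from a real system.
ROLES = {
    "ap-clerk":   {"erp:vendor.create", "erp:invoice.enter"},
    "ap-manager": {"erp:payment.release", "erp:invoice.approve"},
    "hr-partner": {"hr:employee.create"},
    "developer":  {"custom:code.commit"},
}

# SoD rules expressed at entitlement level, so they catch combinations that
# span roles and applications. A role-level rule cannot express these.
SOD_RULES = {
    "create-vendor-and-pay":    {"erp:vendor.create", "erp:payment.release"},
    "hire-and-approve-payroll": {"hr:employee.create", "payroll:run.approve"},
    "commit-and-deploy":        {"custom:code.commit", "custom:prod.deploy"},
}


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset[str]
    direct: frozenset[str]  # grants outside any role, e.g. via delegated admin
    last_used: dict[str, date | None] = field(default_factory=dict)  # None = never


@dataclass(frozen=True)
class SodException:
    identity: str
    rule: str
    expires: date


def effective_entitlements(ident: Identity, roles=ROLES) -> set[str]:
    """Union of role-derived and directly assigned entitlements."""
    ents = set(ident.direct)
    for role in ident.roles:
        ents |= roles.get(role, set())
    return ents


def sod_conflicts(ident: Identity, rules=SOD_RULES, roles=ROLES) -> list[str]:
    """Rules whose full toxic combination is present in effective access."""
    ents = effective_entitlements(ident, roles)
    return sorted(name for name, combo in rules.items() if combo <= ents)


def role_only_conflicts(ident: Identity, rules=SOD_RULES, roles=ROLES) -> list[str]:
    """What a role-level review sees: conflicts contained inside a single role."""
    found = set()
    for role in ident.roles:
        found |= {n for n, combo in rules.items() if combo <= roles.get(role, set())}
    return sorted(found)


def monitor(identities, exceptions, today: date, stale_days: int = 90,
            rules=SOD_RULES, roles=ROLES) -> list[tuple]:
    """Continuous check. Returns (severity, identity, finding, detail) tuples,
    lowest severity number first, so SoD conflicts are reviewed before stale access."""
    active = {(e.identity, e.rule): e for e in exceptions}
    findings = []
    for ident in identities:
        for rule in sod_conflicts(ident, rules, roles):
            exc = active.get((ident.name, rule))
            if exc is None:
                findings.append((1, ident.name, f"sod-conflict:{rule}", "no approved exception"))
            elif exc.expires < today:
                findings.append((1, ident.name, f"sod-conflict:{rule}",
                                 f"exception expired {exc.expires.isoformat()}"))
            # A live, unexpired exception keeps the conflict out of the findings.
        for ent in sorted(effective_entitlements(ident, roles)):
            last = ident.last_used.get(ent)
            if last is None or (today - last).days > stale_days:
                detail = "never used" if last is None else f"last used {last.isoformat()}"
                findings.append((2, ident.name, f"stale:{ent}", detail))
    return sorted(findings)


TODAY = date(2025, 10, 10)  # constructed "now" for the example
ALICE = Identity("alice", frozenset({"ap-clerk", "ap-manager"}), frozenset(),
                 {"erp:vendor.create": date(2025, 10, 1), "erp:invoice.enter": date(2025, 10, 5),
                  "erp:payment.release": date(2025, 5, 1), "erp:invoice.approve": None})
BOB = Identity("bob", frozenset({"developer"}), frozenset({"custom:prod.deploy"}),
               {"custom:code.commit": date(2025, 10, 9), "custom:prod.deploy": date(2025, 10, 8)})
CAROL = Identity("carol", frozenset({"hr-partner"}), frozenset({"payroll:run.approve"}),
                 {"hr:employee.create": date(2025, 10, 2), "payroll:run.approve": date(2025, 9, 30)})
EXCEPTIONS = [
    SodException("bob", "commit-and-deploy", date(2025, 9, 1)),             # lapsed
    SodException("carol", "hire-and-approve-payroll", date(2025, 12, 31)),  # still valid
]


def run_example() -> list[tuple]:
    return monitor([ALICE, BOB, CAROL], EXCEPTIONS, TODAY)


if __name__ == "__main__":
    for severity, who, what, detail in run_example():
        print(f"sev{severity} {who:6} {what:42} {detail}")
```

Running it produces four findings: alice's create-vendor-and-pay conflict (two individually harmless roles, no exception on file), bob's commit-and-deploy conflict whose exception lapsed on 2025-09-01, and two stale entitlements for alice; carol's conflict is suppressed because her exception is still valid. `role_only_conflicts(ALICE)` returns nothing, which is the gap the text describes when approvals stop at role level. In a real programme the `last_used` map would be fed from application and privileged-session logs rather than constructed by hand.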
Threat narrative
Attacker objective: The attacker or abusive insider aims to turn poorly governed access into sustained control over business-critical applications, data, or approval workflows.
- Entry begins when identities accumulate access across multiple enterprise applications faster than governance processes can reconcile them.
- Escalation occurs when broad or overlapping entitlements create segregation-of-duties conflicts, privileged paths, or unreviewed exceptions that expand effective access.
- Impact follows when ungoverned access leads to audit failure, control breakdown, or misuse of business-critical systems and data.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
IGA is now a business control, not a compliance wrapper. Gartner’s market framing shows that buyers are asking IGA to support security outcomes, operational efficiency, and audit readiness at the same time. That broadening is sensible because identity governance sits on the path between access approval and business execution. Practitioners should evaluate IGA programmes on control coverage and decision quality, not certification volume alone.
Fine-grained governance is becoming the only credible answer to application sprawl. Broad roles collapse too easily in complex enterprise estates, especially where finance, ERP, HR, and custom applications intersect. Pathlock’s positioning reflects a wider market truth: coarse entitlements do not give enough fidelity to manage SoD, privilege creep, or delegated administration safely. The implication is that governance teams need entitlement precision where business risk is highest.
Continuous controls monitoring is the missing layer in many IGA programmes. Access review cadences are too slow on their own to keep up with hybrid application change, temporary elevation, and inherited permissions. A programme that only certifies access periodically will always lag behind real entitlement drift. The practitioner takeaway is to use monitoring to surface exceptions continuously and reserve human review for the highest-risk cases.
Identity governance is converging with identity security operations. The market signal here is not simply larger IGA budgets, but a move toward risk-aware controls that connect entitlement data, usage data, and policy enforcement. That convergence matters because modern identity teams cannot separate governance from operational security anymore. Practitioners should plan for IGA, PAM, and security analytics to work as one control stack where business-critical access is concerned.
Lifecycle governance remains the foundation, but the metric of success is changing. Identity life cycle management is still the core discipline underneath IGA, yet the market is now rewarding programmes that prove reduced risk and faster business enablement. That changes the question from whether identities are provisioned and certified to whether access decisions actually improve control outcomes. Practitioners should reset their IGA scorecards around risk reduction and workflow efficiency, not just policy completion.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still operate without complete machine-identity inventory.
- That visibility gap is why practitioners should also use the NHI Lifecycle Management Guide to connect governance reviews to provisioning, rotation, and offboarding.
What this signals
IGA programmes are being forced to prove control quality, not just control existence. As access risk becomes a board-level concern, the programme that only records approvals will look increasingly incomplete. The practical shift is toward control evidence that combines entitlement context, usage data, and exception handling in one view.
With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, identity governance cannot stay focused on human joiner-mover-leaver workflows alone. The same entitlement sprawl problem now spans service accounts, applications, and automated processes, so governance teams need a broader control model.
Identity governance is converging with operational security and lifecycle management. Practitioners should expect fewer clean separations between access certification, privileged access, and continuous monitoring. Teams that can connect these functions will be better placed to reduce risk without slowing business change.
For practitioners
- Rebuild IGA success metrics: Measure reduction in toxic access combinations, stale entitlements, and exception age alongside certification completion rates. If the programme cannot show fewer risky access patterns, it is delivering paperwork rather than governance.
- Prioritise high-risk application clusters: Start with ERP, finance, HR, and custom systems where segregation-of-duties failures create material control exposure. Model entitlements precisely enough to detect conflicting access across application boundaries.
- Add continuous monitoring to review cycles: Use live entitlement and usage signals to flag expired exceptions, inherited privilege, and elevated access that has outlived its approval. Let periodic reviews handle attestation, not discovery.
- Align governance, PAM, and security analytics: Connect identity review data, privileged session data, and policy exceptions so reviewers can see whether access was used as approved. This is the fastest way to turn governance findings into operational action.
Key takeaways
- The article reflects a market shift in which IGA is being judged on security and business outcomes, not compliance alone.
- Gartner cites 9.2% market growth, underscoring that identity governance is becoming a larger part of enterprise risk management.
- Practitioners should align governance, lifecycle control, and continuous monitoring so access decisions improve both resilience and efficiency.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | IGA must govern identity and access across hybrid environments. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Continuous verification and least privilege directly support this IGA shift. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and lifecycle gaps matter when machine identities carry standing access. |
Use zero trust principles to tie access decisions to current context, not static approval alone.
Key terms
- Identity Governance And Administration: Identity Governance and Administration is the control discipline that decides who should have access, who approves it, and how that access is reviewed over time. In practice it spans provisioning, certification, segregation of duties, and exception handling across human, application, and machine identities.
- Segregation Of Duties: Segregation of Duties is the rule that prevents one identity from holding combinations of access that create fraud, misuse, or control failure risk. It is most effective when modelled at entitlement level, because broad roles often hide the exact access combinations that create exposure.
- Continuous Controls Monitoring: Continuous Controls Monitoring is the practice of checking access and control conditions as they change, rather than waiting for periodic review cycles. For identity programmes, it helps detect stale access, expired exceptions, and privilege drift before the next certification round.
- Privilege Drift: Privilege drift is the gradual expansion or persistence of access beyond what was originally approved or intended. It appears when entitlements accumulate, exceptions linger, or delegated paths are not revalidated, creating a gap between documented governance and actual effective access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Pathlock: Pathlock included in the 2025 Gartner Market Guide for Identity Governance and Administration as a Representative Vendor. Read the original.
Published by the NHIMG editorial team on 2025-10-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org